Medical device risk mitigation is perhaps the most pressing issue for healthcare CIOs

Hackers see hospitals as treasure troves; they hold our most sensitive data, including medical records, financial information, and pretty much every piece of personal data which makes us distinguishable as an individual (think full name, date of birth, SSN’s and financial info)- more or less all the information which allows a cybercriminal to open up numerous credit cards, and commit fraud. Not only this, but if criminals do manage to break into hospital systems, they have the ability to manipulate data which could cause large scale service disruption- and in the very worst-case scenario, could pose a serious threat to patient safety. With the numbers of connected devices in the hospital ecosystem increasing constantly, security is often called into question. As Harvard’s International Healthcare Innovation Professor, I have seen this first hand, and it has become a worldwide issue.

Every day we see breaches making headlines- from big companies and email providers to banks and healthcare insurance providers. However, it tends to be forgotten that there are holes within the medical ecosystem that must be plugged to avoid breaches of this kind, too. Everything from I.V. pumps to X-Ray machines are computer operated and, as with most medical devices in today’s society, are connected to the internet in some way. Breaches of patient information could be catastrophic; just last year, WannaCry crippled NHS computer systems in the UK. Whilst systems were held to ransom, surgeries were cancelled, and urgent care was severely delayed. By getting their hands on data of this kind, hackers could not only go onto commit identity and financial fraud, but in some cases, use the information they have stolen to blackmail victims. Medical data is unique in a way in which it cannot be redacted- it can lead to reputational damage, and can cause the individual victim significant harm. Not only this, but hackers could also go on to manipulate the data to make it untrustworthy, something which could result in poor hospital care. Essentially, hospitals do not only have to worry about data theft, but also data corruption, which could result in large scale disruption of services.

As connected medical devices often do not have security ‘built in’ per say, I believe that risk mitigation of medical devices connected to hospital networks is perhaps the most pressing issue for healthcare CIOs around the world. The risk mitigation is, of course, not only the responsibility of the CIO and more and more, we are seeing cybersecurity being treated as a board level issue; thus, it is the CEO, the COO, the CFO, the CIO- the whole executive suite- working together to reduce cybersecurity risks. Movement in this direction is positive, and if there are hospitals that still think it’s an “IT problem” – they should be concerned, as it’s very challenging to implement change and IT driven initiatives are rarely successful. Boards must not attempt to wait the challenge out and end up with a huge cyber incident on their hands before waking up, and engaging in cybersecurity.

When you look at any risk heat map, the map across healthcare consistently points out IoT connected devices as the most, if not one of the top 10, persistent risks. As a CIO myself, I wanted to be a part of solving this problem. I was fortunate enough to visit Israel in late 2017 with a delegation led by Charlie Baker, the governor of Massachusetts, with the aim of improving relationships between Massachusetts and Israel, specifically focusing on digital health innovation and cybersecurity. I have always appreciated the sophistication of cyber security companies in Israel; the 8200 produces some of the world’s best cybersecurity experts, who found groundbreaking, innovative start-up companies. Having the opportunity to work with an Israeli cybersecurity start-up is clearly an attractive prospect, and Cynerio’s team demonstrated it has the right qualities to address important issues by combining expertise in cybersecurity, medical devices, machine learning and healthcare workflow. Cynerio’s technology detects anomalies affecting connected medical devices using machine learning. It has studied millions of transactions, and can detect variations with a high positive predictive value. By combining device behavior learning with medical workflow analysis, their technology provides visibility into activity on the network, detecting anomalies and threats to patient safety and data protection.

John D. Halamka, MD, MS, is Chief Information Officer of Beth Israel Deaconess Medical Center, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician.